DEV: Update DiscourseConnect nonce errors to be more descriptive (#14858)

DEV: Update DiscourseConnect nonce errors to be more descriptive (#14858)

diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 04812f1..31a4b83 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -50,8 +50,10 @@ class DiscourseSingleSignOn < SingleSignOn
   def nonce_error
     if Discourse.cache.read(used_nonce_key).present?
       "Nonce has already been used"
+    elsif SiteSetting.discourse_connect_csrf_protection
+      "Nonce is incorrect, was generated in a different browser session, or has expired"
     else
-      "Nonce has expired"
+      "Nonce is incorrect, or has expired"
     end
   end
 
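Review bot: In `nonce_error`, the first branch still returns "Nonce has already been used" separately from the combined wording added in the two branches below it, so whoever receives the string can tell a replayed nonce from an unknown or expired one. The hunk does not show where this string is rendered. If it reaches the HTTP response of the login endpoint rather than only the logs, that distinction is visible to any caller and deserves a deliberate decision. I would add a comment above the method recording it, for example `# Diagnostic text for failed DiscourseConnect logins; confirm where it is displayed before adding more detail`. The wording also changes with `SiteSetting.discourse_connect_csrf_protection`, so a short why-comment on the `elsif` would help, such as `# with CSRF protection the nonce is checked against the browser session that started the login`, presumably the reason for the extra clause.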
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index ebc2d08..fdd34c5 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -544,7 +544,18 @@ describe DiscourseSingleSignOn do
       expect(sso.nonce_valid?).to eq true
 
       Discourse.cache.delete(sso.used_nonce_key)
-      expect(sso.nonce_error).to eq("Nonce has expired")
+      expect(sso.nonce_error).to eq("Nonce is incorrect, was generated in a different browser session, or has expired")
+    end
+
+    it "generates correct error message when nonce is expired, and csrf protection disabled" do
+      SiteSetting.discourse_connect_csrf_protection = false
+      _ , payload = DiscourseSingleSignOn.generate_url(secure_session: secure_session).split("?")
+
+      sso = DiscourseSingleSignOn.parse(payload, secure_session: secure_session)
+      expect(sso.nonce_valid?).to eq true
+
+      Discourse.cache.delete(sso.used_nonce_key)
+      expect(sso.nonce_error).to eq("Nonce is incorrect, or has expired")
     end
   end
 
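Review bot: The new example titled "when nonce is expired, and csrf protection disabled" never puts the nonce into a rejected state: `expect(sso.nonce_valid?).to eq true` passes immediately before the message assertion, so the test only pins the string returned by the `else` branch of `nonce_error`. Consuming or expiring the nonce first and then asserting `expect(sso.nonce_valid?).to eq false` would tie the message to an actual rejection. The CSRF-enabled wording mentions a different browser session, yet no visible example parses the payload with a different `secure_session`; one example for that case would cover the security-relevant path. The first example starts outside this hunk and appears to rely on the setting's default rather than setting `discourse_connect_csrf_protection` explicitly.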

GitHub sha: 5ac10e2e795f3fc5c61daa66f0bfb1d456e7f494

This commit appears in #14858 which was approved by eviltrout. It was merged by davidtaylorhq.